How open-source can improve cloud security

Security is often cited as a hindrance to adopting cloud computing, but a cloud environment that makes use of open-source software could actually improve security, according to a panel of experts.

Open-source software can give organizations a greater universe of expertise to draw on, which can come in particularly handy when they’ve been hit by a cyberattack, said Gary Galloway, deputy director of the State Department’s Office of Information Assurance.

Ninety-nine percent of organizations have been hacked or attacked, he said. When that happens, the security team has to bring in experts from the security providers whose products they are using to help solve the problem.

“If you have an open-source version of Linux, you don’t necessarily have to go to a proprietary vendor and find experts,” he said during a discussion on open-source and cloud computing at the Red Hat Government Symposium held by FedScoop at the Newseum in Washington, D.C., Nov. 16.

“You have a wide range of expertise” to come in to help fix the problem, Galloway said. One example: You might be able to use an intern who is a math or engineering major at the Massachusetts Institute of Technology.

Regardless of whether it is an intern or someone else, it should be someone with experience in solving security problems, said John Weiler, managing director of the IT Acquisition Advisory Council, an association working to improve government procurement issues.

The point is that you have access to a wide range of expertise, Galloway said.

Open-source software has forged partnerships between industry and the public sector, said Chris Runge, senior director of solutions architects with Red Hat. He cited the work with the National Security Agency and other organizations 10 years ago to develop a secure version of the Linux operating system, now known as Security-Enhanced Linux, or SELinux.

Red Hat, for its part, has developed new technology that extends access control down into the hypervisor that manages virtual machines, Runge said, noting that hypervisors are becoming the attack vector people are going after.

Opponents of cloud computing use security as a reason to avoid moving to the on-demand computing model, but in many cases that is a cultural response not based on evidence or fact, Weiler said.

Security practitioners are measured based on how well they prevent occurrences of insecurity, he said. More real-world analysis should be done on the security posture of existing systems, which might be 10 times more insecure than moving to a new system that has 1 percent of security exposure, Weiler said.

There needs to be more real-world analysis in which organizations measure whether they can afford perfection at any point in time and analyze how secure the legacy systems are and the cost of maintaining that security posture, he said.